PCI SSC moves quickly to patch XSS flaw

The PCI Security Standards Council (PCI SSC) has patched a Cross-Site Scripting (XSS) vulnerability on its website, pcisecuritystandards.org, after it was discovered late last week.

The flaw was discovered on 19 March 2015 by security researcher BruteForce, and was patched within 24 hours by the PCI SSC. The group is an open global security forum launched in 2006 that is responsible for the development, management, education and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

The vulnerability affected the public documents library specifically, meaning hackers could potentially access these files, which include reference materials and guidance for the various PCI Standards.

Laura K. Johnson, communications manager for PCI SSC, later told SCMagazineUK.com: "The Council identified a minor vulnerability in the public documents library on the PCI SSC website that was addressed within minutes. No data of any kind was at risk."

Ilia Kolochenko, CEO of information security firm High-Tech Bridge, said in an email to SC: "XSS will become a more frequent and dangerous vector of attacks. It's very difficult to detect high or critical risk vulnerabilities in well-known web products (e.g. Joomla, WordPress, SharePoint, etc). However, low and medium risk vulnerabilities, such as XSS, will still regularly appear. Sophisticated exploitation of an XSS can give the same outcomes as a SQL injection vulnerability, therefore hackers will rely on XSS attacks more and more to achieve their goals."

"Automated security tools and solutions will not be efficient anymore. Web Application Firewalls, Web Vulnerability Scanners or Malware Detection services will not be efficient anymore if used separately or without human control. Both web vulnerabilities and web attacks are becoming more and more sophisticated and complex to detect, and human intervention is almost always necessary to properly detect all the vulnerabilities. It's not enough anymore to patch 90 percent or even 99 percent of the vulnerabilities - hackers will detect the last vulnerability and use it to compromise the entire website."